#0904

URL Protocol Injection

Medium | +100 XP | A03:2021 Injection | CWE-79
Tags: XSS, Open Redirect, URL Validation

Scenario

Your application accepts a redirect URL from a query parameter and uses it in a Location header or href attribute after login.

The current sanitiseRedirectUrl function only blocks the exact string javascript:, so an attacker can bypass it with JAVASCRIPT:, java\tscript:, or data:. Browsers match the scheme case-insensitively and discard tab and newline characters before parsing, so the first two still resolve to javascript:, and data: is simply a second dangerous scheme the check never considers.

A successful bypass lets an attacker craft a login link whose post-login redirect executes JavaScript in the victim's browser when it fires. (Modern browsers do not execute a javascript: URL supplied in a Location header, so the href attribute is where this bug becomes XSS.)

javascript: URL injection and open redirects are frequently chained in phishing attacks: the link points at the trusted login page, and the payload rides in the redirect parameter. A single missing case-normalisation step leaves the entire protocol check trivial to bypass.

Your Tasks

  1. Fix sanitiseRedirectUrl to strip leading whitespace and control characters, then normalise the URL to lowercase before checking its protocol.
  2. Block any URL whose normalised form starts with javascript: or data:, returning "/" as a safe fallback.
  3. Legitimate http://, https://, and relative (/) URLs must be returned unchanged.

Examples

Example 1: Bypass with uppercase (bug)

sanitiseRedirectUrl('JAVASCRIPT:alert(1)')
// returns 'JAVASCRIPT:alert(1)' — not blocked!

Example 2: Blocked (fix)

sanitiseRedirectUrl('JAVASCRIPT:alert(1)')
// returns '/'

Constraints

  • Return the original (un-lowercased) URL for safe inputs — only normalise for comparison.
  • Return exactly "/" for any blocked URL.
  • Tab and other control characters embedded in the protocol must also be blocked.
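
A worked implementation of the tasks and constraints above, added here as an example and not the challenge's own solution file: the buggy exact-string check sits beside the hardened version, with constructed inputs for the bypasses named in the scenario. Only sanitiseRedirectUrl comes from the task; sanitiseRedirectUrlVulnerable, normaliseForComparison, BLOCKED_SCHEMES, CONSTRUCTED_CASES and countCorrect are names assumed for illustration.

```javascript
// Added example (not the challenge's own solution file): a buggy
// sanitiseRedirectUrl next to a hardened one, plus constructed inputs.
// All names except sanitiseRedirectUrl are assumptions for illustration.

// Before: only the exact lowercase string is blocked, so case changes,
// embedded tabs and other schemes slip through.
function sanitiseRedirectUrlVulnerable(url) {
  if (typeof url !== 'string') return '/';
  return url.startsWith('javascript:') ? '/' : url;
}

// Schemes that must never appear in a redirect target (from the task).
const BLOCKED_SCHEMES = ['javascript:', 'data:'];

// Build the comparison form of a URL the way a browser reads it:
// leading C0 controls and spaces are dropped, tab/LF/CR are removed
// wherever they appear (the URL spec's "remove ASCII tab or newline"
// step), and the result is lower-cased because schemes are
// case-insensitive. Other embedded control characters are removed too,
// so a scheme split by any control character cannot evade the check
// (deliberately conservative: this form is used for comparison only).
function normaliseForComparison(url) {
  return url
    .replace(/^[\u0000-\u0020]+/, '')        // leading controls and spaces
    .replace(/[\u0000-\u001f\u007f]/g, '')   // embedded controls, tab included
    .toLowerCase();
}

// After: decide on the normalised form, but return the caller's original
// string untouched so legitimate URLs are not altered.
function sanitiseRedirectUrl(url) {
  if (typeof url !== 'string') return '/';
  const normalised = normaliseForComparison(url);
  for (const scheme of BLOCKED_SCHEMES) {
    if (normalised.startsWith(scheme)) return '/';
  }
  return url;
}

// Constructed inputs (not real traffic) covering the scenario's bypasses
// and the legitimate URLs that must pass through unchanged.
const CONSTRUCTED_CASES = [
  ['JAVASCRIPT:alert(1)',               '/'],
  ['JaVaScRiPt:alert(1)',               '/'],
  ['java\tscript:alert(1)',             '/'],
  ['\t\n javascript:alert(1)',          '/'],
  ['\u0001javascript:alert(1)',         '/'],
  ['data:text/html,<script>1</script>', '/'],
  ['https://Example.com/Account',       'https://Example.com/Account'],
  ['http://example.com/',               'http://example.com/'],
  ['/dashboard?tab=2',                  '/dashboard?tab=2'],
];

// Count how many constructed inputs a sanitiser handles as expected:
// the vulnerable version passes only the three legitimate URLs,
// the fixed version passes all nine.
function countCorrect(sanitiser) {
  return CONSTRUCTED_CASES.filter(
    ([input, expected]) => sanitiser(input) === expected
  ).length;
}
```

Note what this does not do: by the task's own rule that http:// and https:// URLs are returned unchanged, a value such as https://attacker.example or the protocol-relative //attacker.example still passes, so the scheme check alone fixes the XSS but not the open redirect. In a real application, also confirm the target is same-origin, for instance by accepting only relative paths that start with a single / (rejecting // and /\ prefixes) or by comparing the parsed URL's origin with your own.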
